So I have thought a bit about hardening a Debian squeeze file & VPN server lately.
Right now, we've placed the machine behind a firewall only allowing SSH connections from LAN, set a strong root password and installed unattended-upgrades to keep us fresh on those security fixes.

unattended-upgrades is quite a bad idea. Your sysadmin should be keeping an eye on the mailing list and committing those fixes manually as needed. It promotes laziness and not keeping up to date with security issues.
– Chris Down, Feb 4 '12 at 13:30